Vulnerability Disclosure: SQL Injection in ConnX ESP HR Management System (CVE-2015-4043)

During an engagement for one of our clients we came across ConnX’s ESP HR Management System and found that it was vulnerable to SQL Injection. In line with our responsible disclosure policy, the vendor of ConnX was contacted to advise them of the issue and they were advised that this information would be published in 90 days.

We have received an acknowledgement from ConnX regarding this issue stating:

… we are now releasing a version of ConnX where the issue that you brought to my attention has been addressed.

90 days have now passed from our initial disclosure to ConnX, and we are publishing details of the issue.

ConnX’s ESP HR Management System is an application designed to aid payroll management of staff in organisations. We have identified that the input validation in the username parameter of the login page was not implemented correctly, as noted below:

  • Location: /frmLogin.aspx
  • Parameter: ctl00$cphMainContent$txtUserName

Exploitation of this vulnerability would allow attackers to extract the data used by the ESP HR Management System. This information includes sensitive employee personal details.
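To illustrate the defect class behind this finding, here is an added example (not ConnX’s code; the table, columns and user records are constructed stand-ins): a login lookup that splices the username into the SQL text, beside the parameterized form that fixes it. A legitimate username containing an apostrophe is enough to show that the spliced input reaches the SQL parser as syntax rather than as a value.

```python
import sqlite3


def make_db():
    # Constructed in-memory stand-in for an HR user table; not the real schema.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, pw_hash TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "hash-of-alice"), ("o'brien", "hash-of-obrien")],
    )
    return conn


def lookup_vulnerable(conn, username):
    # Hypothetical reconstruction of the defect: the username is concatenated
    # into the statement, so its characters can alter the query's structure.
    sql = f"SELECT pw_hash FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchone()


def lookup_parameterized(conn, username):
    # Hardened form: the statement text is fixed and the value is bound
    # separately, so the database never interprets it as SQL.
    sql = "SELECT pw_hash FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchone()


def query_is_altered(conn, username):
    """True if splicing this username into the SQL left the statement
    unparsable, i.e. the input changed the query rather than being a value."""
    try:
        lookup_vulnerable(conn, username)
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    db = make_db()
    # Parameterized lookup handles the apostrophe as data and finds the user.
    print(lookup_parameterized(db, "o'brien"))
    # The concatenated lookup breaks on the same, perfectly legitimate, input.
    print("concatenation altered the query:", query_is_altered(db, "o'brien"))
```

Binding parameters is the fix; character filtering on the username is at best defence in depth and does not replace it.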

The full advisory can be found here.

Communication timeline:

  • 2015-03-25: ConnX contacted with details of vulnerability
  • 2015-04-20: ConnX replied with details about mitigation
  • 2015-06-30: Publication of vulnerability